Lucas_Werkmeister_WMDE added a comment.

  > **General Security Issues**
  >
  > 1. `njsscan` did find some potential issues with vue's `v-html` attribute.
  > I'd guess most of these are false positives given that they render messages
  > which shouldn't be vulnerable as they are used within the TypeScript app and
  > likely secure content-rendering functions (`title`, `getBodyMessage`,
  > `referenceHTML` et al). Still posting the results here (P11942) for review and
  > confirmation with a probable **Risk: {icon check-circle color=green} low**.
  
  I looked at these earlier and thought they all looked like false positives, but I seem to have lost access to the paste now for some reason, so I can’t say for sure. But looking through v-html codesearch results <https://codesearch.wmcloud.org/search/?q=v-html&files=%5C.vue%24&repos=Extension:Wikibase>:
  
  - All instances of `v-html="$messages.get( … )"` should be safe. `$messages.get()` is a wrapper around `mw.message().parse()` <https://www.mediawiki.org/wiki/Manual:Messages_API#Using_messages_in_JavaScript>, where `mediawiki.jqueryMsg` (which our app module depends on <https://gerrit.wikimedia.org/g/mediawiki/extensions/Wikibase/+/dd9f855b35e56813750ad9f43280ce04059ac583/client/includes/DataBridge/DataBridgeResourceLoaderModules.php#89>) will escape HTML. (See also T115888.)
  
  - `<span v-html="title" />` in AppHeader.vue <https://gerrit.wikimedia.org/g/mediawiki/extensions/Wikibase/+/dd9f855b35e56813750ad9f43280ce04059ac583/client/data-bridge/src/presentation/components/AppHeader.vue> should be safe. `title` is a getter wrapping `$messages.get()`, see above.
  
  - `v-html="messageHeader"` and `v-html="messageBody"` in ErrorPermissionInfo.vue <https://gerrit.wikimedia.org/g/mediawiki/extensions/Wikibase/+/dd9f855b35e56813750ad9f43280ce04059ac583/client/data-bridge/src/presentation/components/ErrorPermissionInfo.vue> should be safe. `messageHeader` and `messageBody` are properties of the component; `ErrorPermission.vue` fills them with its `getMessageHeader()` and `getMessageBody()` methods, respectively, which both wrap `$messages.get()`, see above.
  
  - `v-html="getBodyMessage"` in License.vue <https://gerrit.wikimedia.org/g/mediawiki/extensions/Wikibase/+/dd9f855b35e56813750ad9f43280ce04059ac583/client/data-bridge/src/presentation/components/License.vue> should be safe. `getBodyMessage` is a getter wrapping, you guessed it, `$messages.get()`.
  
  - `v-html="referenceHTML"` in ReferenceSection.vue <https://gerrit.wikimedia.org/g/mediawiki/extensions/Wikibase/+/dd9f855b35e56813750ad9f43280ce04059ac583/client/data-bridge/src/presentation/components/ReferenceSection.vue> should be safe. `referenceHTML` comes from the `renderedTargetReferences` array in the app state, which is populated in the renderReferences action <https://gerrit.wikimedia.org/g/mediawiki/extensions/Wikibase/+/dd9f855b35e56813750ad9f43280ce04059ac583/client/data-bridge/src/store/actions.ts#120> using the ApiRenderReferencesRepository <https://gerrit.wikimedia.org/g/mediawiki/extensions/Wikibase/+/dd9f855b35e56813750ad9f43280ce04059ac583/client/data-bridge/src/data-access/ApiRenderReferencesRepository.ts>, which gets the HTML from the wbformatreference API <https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/Wikibase/+/dd9f855b35e56813750ad9f43280ce04059ac583/client/includes/Api/ApiFormatReference.php>, where the HTML ultimately comes from a `Parser` based on wikitext input.
  
  - `v-html="message"` in ReportIssue.vue <https://gerrit.wikimedia.org/g/mediawiki/extensions/Wikibase/+/dd9f855b35e56813750ad9f43280ce04059ac583/client/data-bridge/src/presentation/components/ReportIssue.vue> should be safe. `message` is a getter wrapping `$messages.get()`.
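A triage helper for this kind of review, as an added example that is not part of the comment above or of Wikibase: it extracts `v-html` bindings from constructed .vue sources and classifies each by the data flow traced in the comment (a direct `$messages.get()` call, an allowlisted getter that wraps it, or needs manual review). The getter allowlist and the sample files are assumptions drawn from the comment, not the real component sources.

```javascript
// Added example, not Wikibase code: triage `v-html` sinks in .vue sources.
// An expression is treated as safe when it is a direct `$messages.get(...)`
// call (escaped by mediawiki.jqueryMsg) or one of the component getters the
// comment identifies as wrapping it; anything else is flagged for manual
// data-flow review (e.g. referenceHTML, which the comment clears only after
// tracing it to Parser output).
// Assumption: this getter allowlist is taken from the comment.
const KNOWN_SAFE_GETTERS = new Set([
  'title', 'messageHeader', 'messageBody', 'getBodyMessage', 'message',
]);

// Static v-html bindings: v-html="expr" or v-html='expr'.
const V_HTML_RE = /v-html=(["'])(.*?)\1/g;

function classifyExpression(expr) {
  const e = expr.trim();
  if (/^\$messages\.get\(/.test(e)) return 'safe:messages-api';
  if (KNOWN_SAFE_GETTERS.has(e)) return 'safe:getter-wraps-messages-api';
  return 'review';
}

function auditVueSource(fileName, source) {
  return Array.from(source.matchAll(V_HTML_RE), (m) => ({
    file: fileName,
    expr: m[2].trim(),
    verdict: classifyExpression(m[2]),
  }));
}

// Summarise a set of files: every sink found, plus those still needing review.
function auditAll(sources) {
  const findings = Object.entries(sources).flatMap(([f, s]) => auditVueSource(f, s));
  return { findings, needsReview: findings.filter((x) => x.verdict === 'review') };
}

// Constructed sample sources mirroring the bindings discussed in the comment;
// 'example-key' is a placeholder message key, not a real one.
const SAMPLE_SOURCES = {
  'AppHeader.vue': '<template><span v-html="title" /></template>',
  'License.vue': '<template><p v-html="$messages.get( \'example-key\' )" /></template>',
  'ReferenceSection.vue': '<template><li v-html="referenceHTML" /></template>',
};

const REPORT = auditAll(SAMPLE_SOURCES);
REPORT.findings.forEach((f) => console.log(`${f.file}: ${f.expr} -> ${f.verdict}`));
console.log(`${REPORT.needsReview.length} sink(s) need manual review`);
```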

TASK DETAIL
  https://phabricator.wikimedia.org/T249039

_______________________________________________
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs
